By Thomas Helmer, Senior Director, CS&A International – As published in AmCham Connect on 2 November 2015.
From achieving compliance to driving improvements, audits have become a staple of the corporate life cycle. Getting the most from your audits can be a challenge.
Regrettably, many companies and their employees see auditing as a burden best dealt with using the least amount of effort, so as to get it off their agenda as quickly as possible. This often results in poor ratings, lots of action points and, worst of all, no ownership of any gaps.
Actually, auditing is an excellent opportunity to demonstrate that your function or department follows the company processes, procedures and work instructions, but it is also a chance to solicit recognition for known organizational weaknesses that need specific attention.
For example, auditing the effectiveness of your risk management process and the preparedness of your crisis and emergency response management capability and business continuity plans is particularly important, as such topics are seldom practiced in day-to-day activities. As risks and threats evolve and companies restructure, merge or divest, verifying risk, crisis and business continuity readiness via audits is a critical step towards increased resilience.
Part of the legal remit of a company's board is to have an effective auditing program. Since the United States’ Sarbanes-Oxley Act (2002), auditing is not limited to the financial audits that publicly listed companies need in order to get their quarterly and annual reports verified. Boards, shareholders and investors want to be satisfied that owners’ interests are protected. This can and should cover all main corporate business risks and key controls. Therefore, corporate boards should set the tone and drive the expectations, and they are instrumental in generating the right behaviors.
The development of a robust auditing program starts with a risk register highlighting the significant risks the organization is facing. For each risk, sufficient controls must be in place.
It is a fact that organizations are increasingly complex; therefore, most companies must have a corporate management system in place that documents how the company is organized and expected to operate. Corporate management systems include policies, standards, processes and procedures that are intended to cover defined risks and document the controls needed. It is these controls that must be audited from time to time to verify that they are still effective, i.e. is the organization being audited complying with its own standards?
Successful audits must include the following critical aspects:
- They must be risk-based
- They must include a combination of document review, one-on-one interviews and direct observation
- Identified gaps must be material to the objectives of the organization and must be validated
- They should provide an opinion about the effectiveness of internal controls of the organization
- Findings, associated evidence and proposed gap closing actions must be provided in the final audit report
Independent auditors with topical expertise are critical to conducting effective audits because they provide a completely impartial view. When comparing a company against its own processes and procedures and against best-in-class capabilities, professional auditors can detect and highlight potential managerial problems that threaten the organization.
Highly effective organizations are audited frequently on all critical processes. They consider audits an opportunity to identify gaps, learn, improve and adapt quickly rather than a tick-box exercise. Is it time to check whether you get the most from your audits?
Thomas Helmer is Senior Director with CS&A International, an international risk, crisis and business continuity firm with worldwide operations. He is based in Amsterdam, Brussels and Hong Kong.